GAO: Mixed results thus far implementing FISMA


Federal agencies have improved compliance with information security requirements under the Federal Information Security Management Act (FISMA), but checking all the boxes has not translated into taking full advantage of the enhancements that are available, according to a Government Accountability Office report issued to Congress Sept. 26.

The report suggests that most of the 24 major federal agencies established many of the eight key information security program components set forth by FISMA in fiscal 2012, but only partially fulfilled others. During the course of its review, GAO evaluated its previous information security reports, the Office of Management and Budget's annual reports to Congress on FISMA implementation, reports from inspectors general and individual agency reports.

Inspector general (IG) reports show the number of agencies that analyzed, validated and documented security incidents increased from 16 to 19 in the past fiscal year, but the number of agencies able to track identified weaknesses actually declined.

GAO states that all but one of the 24 major federal agencies had weaknesses in security controls intended to limit or detect access to computer resources.

In the report, OMB attributed the decline to "agencies not updating their policies and procedures after new federal requirements are established or new technologies are deployed."

In summary, agencies have seen some progress in FISMA implementation, but major weaknesses persist.

"Notwithstanding the mixed progress made, GAO and inspectors general continue to identify weaknesses in agencies' information security programs and make recommendations to mitigate the weaknesses identified," the GAO report states. "In addition, OMB and (the Department of Homeland Security) continued to develop reporting metrics and assist agencies in improving their information security programs; however, the metrics do not evaluate all FISMA requirements, focused mainly on compliance rather than effectiveness of controls, and in many cases did not identify specific performance targets for determining levels of implementation."

GAO's report culminates with recommendations to OMB and DHS to "develop compliance metrics related to periodic assessments of risk and development of subordinate security plans" and to develop better metrics for IGs to report on the effectiveness of agency information security programs.

OMB agreed with the recommendations but did not provide any comment, while DHS provided a written response indicating action it plans to take.

About the Author

Frank Konkel is a former staff writer for FCW.
